Can we please post this to the appropriate place? If you have an issue with this decision that the Board actively discussed, please as the question there. There is no reason to cross-post every message to both lists. This was a swim lane issue discussed by the Board and also discussed at the face-to-face meeting we had in Rockville, MD in November.

I submitted my CVE request through Mitre who notified me that open
source software CVE requests are now processed via the Distributed
Weakness Filing before being sent to Mitre for inclusion in their
database.

This creates an obvious disconnect and potentially duplicate assignments
and confusion, if researchers are being told to go to DWF for *all* OSS
assignments. For example, Apache is a CNA and has many OSS projects, but
vulnerabilities in their software should go to them, not DWF. Could MITRE
share the text that is being sent out currently?